-rw-r--r--roles/relayd/templates/relayd.conf.j210
1 files changed, 7 insertions, 3 deletions
diff --git a/roles/relayd/templates/relayd.conf.j2 b/roles/relayd/templates/relayd.conf.j2
index 8ef03bc..e4b1eb5 100644
--- a/roles/relayd/templates/relayd.conf.j2
+++ b/roles/relayd/templates/relayd.conf.j2
@@ -18,7 +18,6 @@ table <{{ h.ansible_host }}> { {{ h.ip.in }} }
http protocol "https" {
- tls keypair "{{ global.domain_name }}"
tls ciphers "HIGH:!AES128:!kRSA:!aNULL"
tls ecdhe "P-384,P-256,X25519"
@@ -29,14 +28,17 @@ http protocol "https" {
match request header set "Connection" value "close"
match request header set "X-Forwarded-Proto" value "https"
match request header set "X-Forwarded-Port" value "443"
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
- pass request header "Host" value "{{ global.domain_name }}" forward to <local>
+ tls keypair "{{ global.domain_name }}"
+ pass request quick header "Host" value "{{ global.domain_name }}" forward to <local>
{% for h in groups["servers"] %}
{% set h = dict(hostvars[h]) %}
{##}
{% if h.ip.in is defined %}
{% for service in h.services if service.domain is defined %}
- pass request header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
+ tls keypair "{{ service.domain }}.{{ global.domain_name }}"
+ pass request quick header "Host" value "{{ service.domain }}.{{ global.domain_name }}" forward to <{{ h.ansible_host }}>
{% endfor %}
{% endif %}
{##}
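Review bot: The new `match response header set "Content-Security-Policy" value "upgrade-insecure-requests"` at the top of this hunk overwrites any Content-Security-Policy a backend behind <local> or <{{ h.ansible_host }}> already emits, so a stricter backend policy (default-src, frame-ancestors, and so on) would be reduced to that single directive once it passes through the relay; the same applies to the identical `set` added in the "http" protocol hunk. Unless it is known that none of the proxied services send their own CSP, the rule should not replace an existing header; since CSP allows several comma-separated policies in one header, `match response header append "Content-Security-Policy" value "upgrade-insecure-requests"` may be the safer form, provided relayd's append joins values in a way the browsers accept (worth confirming in relayd.conf(5) before switching). A short comment above the rule stating why it is set at the relay rather than on the backends, e.g. `# relay-wide CSP: forces https for subresources on every proxied site; backends must not rely on their own CSP header surviving`, would also help the next maintainer. The enclosing `http protocol "https"` block begins outside this hunk.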
@@ -49,6 +51,8 @@ http protocol "http" {
# acme
pass request quick path "/.well-known/acme-challenge/*" forward to <local>
+ match response header set "Content-Security-Policy" value "upgrade-insecure-requests"
+
pass request header "Host" value "{{ global.domain_name }}" forward to <local>
{% for h in groups["servers"] %}
{% set h = dict(hostvars[h]) %}